The date Jobs took to the stage to show off the very first Macintosh in a live demonstration
Cuuute.
It's apparently used as a magic timestamp for several things.
Mac App Store incomplete/in-progress downloads have it as the date modified date
Man, that better be one of the trivia questions this year at MacTech.
Similar to how the QuickTime video capture in 10.10 of an attached iOS device always shows full Wi-Fi signal, no carrier ID, full battery charge - and the infamous 9:41 AM time
But I do remember my helicopter was forced to land after being damaged by a surface-to-air missile.
frogor
:D
foigus
Oooh, and did you chase llamas today
macmule
anyone else's AirWatch busted for enrolments?
screw it... night all
Nick_ZWG
SUCCESS
Phase 1 of client ssl certs with Chef complete
Now phase 2 is to undo all of the terrible design decisions made by the original author of this cookbook
gneagle
Nick_ZWG: Why have you taken this upon yourself?
Nick_ZWG
A) To prove that it works and I can do it B) It will probably make the Facebookers happy and C) it's a good way to forcefully learn Ruby
Primarily, the goal is to see if I can do a secure bootstrap of a machine, from out of box, with a secure SSL client cert connection to the munki server, using Chef
I already did it with Puppet
gneagle
Right, so why do it again with Chef?
Nick_ZWG
Because tbh I don't think I'm going to end up using puppet
gneagle
Bored?
frogor
Because he doesn't climb mountains physically, only metaphorically.
Nick_ZWG
Ehhh, I wouldn't say boredom so much as experimentation
And it might benefit someone
frogor
Nick_ZWG: What's the appeal of chef over puppet for you? What does it do differently that you like more?
Nick_ZWG
frogor: Doesn't require a big honking server to do all the hard work
If I was going to use puppet, it'd have to be masterless, I think
but if I used masterless puppet, that removes part of the value of having it set up client certs
frogor
Ah. So without a server centric design, chef is still using client certs / able to issue them?
Or is this something you created for chef that it didn't have before?
Nick_ZWG
frogor: Little of both. Chef doesn't use client certs by itself.
But there's a cookbook for creating a CA, and it can be used to generate certs on nodes
Simple cert storage / generation has very little resource use, so it's easy to handle.
The problem is that the x509 cookbook for Chef is dumb and has been abandoned by the author
And since I happen to not have any huge projects on my plate right now, fixing x509 for chef seems like a fun thing to do
The main problem with the original is that it doesn't work on OS X out of the box
frogor
Nick_ZWG: Before or after OS X went to ruby 2.0 by default? ;)
Nick_ZWG
That's not the problem. The problem is that the recipe explicitly tries to create a file owned by 'root' with group 'root'
'root' group no workey OS X
it also doesn't work if you pass it a certificate path that doesn't exist on the file system, it won't create it for you
So there were a number of things that had to be fixed
frogor
Interesting. So is there a mini web-service involved for the CA so that it auto-responds to CSRs?
frogor looks
Nick_ZWG
No, it doesn't.
That's the biggest problem.
It requires manual intervention.
Someone on the server has to run chef-ssl sign <whatever> or chef-ssl autosign <whatever>
Fixing that is a much larger project, down the line
I can work around it for the moment
frogor
Well, I mean when you go (mostly) server-less, that becomes the problem with PKI: how do you verify a request for a client cert is legit? From whom does the authority/legitimacy descend?
I guess you could do a shared password. Or some sort of challenge response mechanism.
So the clients have the password but never send it over the clear / even during an HTTPS session.
Pretty easy to code that kinda thing.
Nick_ZWG: Next thing you know you'll be designing an API and web service ;D
Nick_ZWG
Right. This was relatively easy with Puppet, because Puppet a) uses client certs out of the box and b) has a mechanism for policy-based signing
Which I was able to leverage very effectively.
This might be a bit of a fool's errand, but I want to recreate that behavior in Chef
frogor
Nick_ZWG: The results of a Google search for: chef csr ca are not encouraging :) Unless you're excited about the prospect of blazing a new trail.
Nick_ZWG
Blazing new trails is fun!
frogor
Hey now, that's my motto.
:D
It is fun though.
Nick_ZWG
"Why did you implement a Munki-themed PKI setup in Chef?" "Because nobody else did!"
Seriously, though.
I'm totally getting into devops
frogor
Good. That's where all the fun is.
Sometimes I think people look at you though like you're the person bouncing up and down to go on the rollercoaster while they're sucking down Dramamine / motion sickness pills like they're going out of style.